<!DOCTYPE html>
<html lang="en">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>The FinFisher dropper &#039;wgetTest&#039; found in the leaked ~36GB torrent for Linux cre - Pastebin.com</title>
</head>
<body class="night-auto " data-pr="x2xy94pJ" data-pa="" data-sar="1" data-abd="1">


<div class="wrap">

        
        
        

    <div class="container">
        <div class="content">

                        

                                    
            
            

<div class="post-view">

    
    <div class="details">
        <div class="info-bar">
            <div class="info-top">

                
                
                <h1>Untitled</h1>
            </div>
            <div class="info-bottom">

                                    <div class="username">
                        a guest                    </div>
                
                <div class="date">
                    <span title="Wednesday 6th of August 2014 12:59:53 PM CDT">Aug 6th, 2014</span>

                                    </div>

            </div>
        </div>
    </div>

        
    
    <div class="highlighted-code">
        <div class="source" style="font-size: px; line-height: px;">
<ol class="asm"><li class="li1"><div class="de1">The FinFisher dropper <span class="st0">'wgetTest'</span> for Linux, found in the leaked ~36GB torrent, creates a directory under /home/$USER whose name is picked at random from the following list. Every entry matches an ordinary per-user configuration or cache directory, so the infection directory looks like the dot-directories a user would expect to find in $HOME:</div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D0E0 common_directories_to_infect <span class="kw5">dd</span> offset a_cache</div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D0E0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="co1">; DATA XREF: count_infection_element_paths_and_names+10o</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D0E0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="co1">; get_and_create_infection_dir_and_filename+68r ...</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D0E0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="co1">; &quot;.cache&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D0E4 off_804D0E4 &nbsp; &nbsp; <span class="kw5">dd</span> offset a_dbus &nbsp; &nbsp; &nbsp; &nbsp;<span class="co1">; DATA XREF: FFB8F40Co</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D0E4 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="co1">; &quot;.dbus&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D0E8 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset a_fontconfig &nbsp;<span class="co1">; &quot;.fontconfig&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D0EC &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset a_gconf &nbsp; &nbsp; &nbsp; <span class="co1">; &quot;.gconf&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D0F0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset a_gnome &nbsp; &nbsp; &nbsp; <span class="co1">; &quot;.gnome&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D0F4 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset a_gnome2 &nbsp; &nbsp; &nbsp;<span class="co1">; &quot;.gnome2&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D0F8 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset a_kde &nbsp; &nbsp; &nbsp; &nbsp; <span class="co1">; &quot;.kde&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D0FC &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset a_local &nbsp; &nbsp; &nbsp; <span class="co1">; &quot;.local&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D100 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset a_qt &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="co1">; &quot;.qt&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D104 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset a_ssh &nbsp; &nbsp; &nbsp; &nbsp; <span class="co1">; &quot;.ssh&quot;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">So<span class="sy1">,</span> an example could be <span class="sy1">/</span>home<span class="sy1">/</span>joxean<span class="sy1">/.</span>cache<span class="sy1">/.</span> Then<span class="sy1">,</span> a <span class="kw1">sub</span><span class="sy1">-</span>directory inside this directory is selected from the following list<span class="sy1">:</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D140 <span class="co1">; char **possible_files_to_detect_infection[6]</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D140 possible_files_to_detect_infection <span class="kw5">dd</span> offset a_config</div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D140 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="co1">; DATA XREF: count_infection_element_paths_and_names+42o</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D140 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="co1">; get_and_create_infection_dir_and_filename+104r ...</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D140 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="co1">; &quot;.config&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D144 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset a_bin &nbsp; &nbsp; &nbsp; &nbsp; <span class="co1">; &quot;.bin&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D148 off_804D148 &nbsp; &nbsp; <span class="kw5">dd</span> offset a_sbin &nbsp; &nbsp; &nbsp; &nbsp;<span class="co1">; DATA XREF: FFB8F408o</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D148 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="co1">; &quot;.sbin&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D14C off_804D14C &nbsp; &nbsp; <span class="kw5">dd</span> offset a_etc &nbsp; &nbsp; &nbsp; &nbsp; <span class="co1">; &quot;.etc&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D150 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset a_cfg &nbsp; &nbsp; &nbsp; &nbsp; <span class="co1">; &quot;.cfg&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D154 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset a_apps &nbsp; &nbsp; &nbsp; &nbsp;<span class="co1">; &quot;.apps&quot;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">So, an example could be /home/asier/.cache/.sbin. Then the dropper patches itself and writes the patched copy into the selected directory under one of the following names:</div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D1A0 <span class="co1">; char *g_likely_executable_names[8]</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D1A0 g_likely_executable_names <span class="kw5">dd</span> offset aCpuset</div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D1A0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="co1">; DATA XREF: count_infection_element_paths_and_names+74o</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D1A0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="co1">; check_already_infected+396o ...</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D1A0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="co1">; &quot;cpuset&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D1A4 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset aKthreadd &nbsp; &nbsp; <span class="co1">; &quot;kthreadd&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D1A8 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset aKsnapd &nbsp; &nbsp; &nbsp; <span class="co1">; &quot;ksnapd&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D1AC &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset aUdevd &nbsp; &nbsp; &nbsp; &nbsp;<span class="co1">; &quot;udevd&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D1B0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset aDbusDaemon &nbsp; <span class="co1">; &quot;dbus-daemon&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D1B4 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset aAtd &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="co1">; &quot;atd&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D1B8 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset aCrond &nbsp; &nbsp; &nbsp; &nbsp;<span class="co1">; &quot;crond&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="kw5">.data</span><span class="sy1">:</span>0804D1BC &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw5">dd</span> offset aHald &nbsp; &nbsp; &nbsp; &nbsp; <span class="co1">; &quot;hald&quot;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">So, again, an example process could be /home/joe/.cache/.sbin/atd. Note that every name in this list mimics a kernel thread or a common system daemon, so the process name alone is not a useful indicator; what stands out is the executable path (a hidden directory under a user's home rather than a system bin directory) and the unusual arguments the dropper passes to it, shown below.</div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">Once the file has been dropped and patched, the main dropper forks; the child changes into the infection directory and executes the dropped binary with a call similar to the following one (note the fixed arguments <span class="st0">&quot;80.so&quot;</span> and <span class="st0">&quot;RunDll&quot;</span>, which end up in the new process's command line):</div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="br0">&#40;</span><span class="sy1">...</span><span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; chdir<span class="br0">&#40;</span>infection_path<span class="br0">&#41;</span><span class="co1">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; execl<span class="br0">&#40;</span>infection_command<span class="sy1">,</span> infection_command<span class="sy1">,</span> <span class="st0">&quot;80.so&quot;</span><span class="sy1">,</span> <span class="st0">&quot;RunDll&quot;</span><span class="sy1">,</span> <span class="nu0">0</span><span class="br0">&#41;</span><span class="co1">;</span></div></li>
<li class="li1"><div class="de1"><span class="br0">&#40;</span><span class="sy1">...</span><span class="br0">&#41;</span></div></li>
</ol>        </div>
    </div>

    
                

        <div class="content__title -no-border">
            RAW Paste Data        </div>

<textarea class="textarea">The FinFisher dropper &#039;wgetTest&#039; for Linux, found in the leaked ~36GB torrent, creates a directory under /home/$USER whose name is picked at random from the following list. Every entry matches an ordinary per-user configuration or cache directory, so the infection directory looks like the dot-directories a user would expect to find in $HOME:

.data:0804D0E0 common_directories_to_infect dd offset a_cache
.data:0804D0E0                                         ; DATA XREF: count_infection_element_paths_and_names+10o
.data:0804D0E0                                         ; get_and_create_infection_dir_and_filename+68r ...
.data:0804D0E0                                         ; &quot;.cache&quot;
.data:0804D0E4 off_804D0E4     dd offset a_dbus        ; DATA XREF: FFB8F40Co
.data:0804D0E4                                         ; &quot;.dbus&quot;
.data:0804D0E8                 dd offset a_fontconfig  ; &quot;.fontconfig&quot;
.data:0804D0EC                 dd offset a_gconf       ; &quot;.gconf&quot;
.data:0804D0F0                 dd offset a_gnome       ; &quot;.gnome&quot;
.data:0804D0F4                 dd offset a_gnome2      ; &quot;.gnome2&quot;
.data:0804D0F8                 dd offset a_kde         ; &quot;.kde&quot;
.data:0804D0FC                 dd offset a_local       ; &quot;.local&quot;
.data:0804D100                 dd offset a_qt          ; &quot;.qt&quot;
.data:0804D104                 dd offset a_ssh         ; &quot;.ssh&quot;

So, an example could be /home/joxean/.cache/. Then, a sub-directory inside this directory is selected from the following list:

.data:0804D140 ; char **possible_files_to_detect_infection[6]
.data:0804D140 possible_files_to_detect_infection dd offset a_config
.data:0804D140                                         ; DATA XREF: count_infection_element_paths_and_names+42o
.data:0804D140                                         ; get_and_create_infection_dir_and_filename+104r ...
.data:0804D140                                         ; &quot;.config&quot;
.data:0804D144                 dd offset a_bin         ; &quot;.bin&quot;
.data:0804D148 off_804D148     dd offset a_sbin        ; DATA XREF: FFB8F408o
.data:0804D148                                         ; &quot;.sbin&quot;
.data:0804D14C off_804D14C     dd offset a_etc         ; &quot;.etc&quot;
.data:0804D150                 dd offset a_cfg         ; &quot;.cfg&quot;
.data:0804D154                 dd offset a_apps        ; &quot;.apps&quot;

So, an example could be /home/asier/.cache/.sbin. Then the dropper patches itself and writes the patched copy into the selected directory under one of the following names:

.data:0804D1A0 ; char *g_likely_executable_names[8]
.data:0804D1A0 g_likely_executable_names dd offset aCpuset
.data:0804D1A0                                         ; DATA XREF: count_infection_element_paths_and_names+74o
.data:0804D1A0                                         ; check_already_infected+396o ...
.data:0804D1A0                                         ; &quot;cpuset&quot;
.data:0804D1A4                 dd offset aKthreadd     ; &quot;kthreadd&quot;
.data:0804D1A8                 dd offset aKsnapd       ; &quot;ksnapd&quot;
.data:0804D1AC                 dd offset aUdevd        ; &quot;udevd&quot;
.data:0804D1B0                 dd offset aDbusDaemon   ; &quot;dbus-daemon&quot;
.data:0804D1B4                 dd offset aAtd          ; &quot;atd&quot;
.data:0804D1B8                 dd offset aCrond        ; &quot;crond&quot;
.data:0804D1BC                 dd offset aHald         ; &quot;hald&quot;

So, again, an example process could be /home/joe/.cache/.sbin/atd. Note that every name in this list mimics a kernel thread or a common system daemon, so the process name alone is not a useful indicator; what stands out is the executable path (a hidden directory under a user's home rather than a system bin directory) and the unusual arguments the dropper passes to it, shown below.

Once the file has been dropped and patched, the main dropper forks; the child changes into the infection directory and executes the dropped binary with a call similar to the following one (note the fixed arguments &quot;80.so&quot; and &quot;RunDll&quot;, which end up in the new process's command line):

(...)
      chdir(infection_path);
      execl(infection_command, infection_command, &quot;80.so&quot;, &quot;RunDll&quot;, 0);
(...)</textarea>
    
        
</div>            <div style="clear: both;"></div>

                        
        </div>

    </div>
</div>


    

    


    
    


</body>
</html>
